EP0781451B1 - Reactor protection system - Google Patents

Publication number
EP0781451B1
Authority
EP
European Patent Office
Prior art keywords
scram
division
rps
reactor
sensor
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
EP96923742A
Other languages
German (de)
English (en)
French (fr)
Other versions
EP0781451A1 (en)
Inventor
Donald Chester Gaubatz
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
General Electric Co
Original Assignee
General Electric Co
Family has litigation
Priority claimed from US08/502,337 (US5586156A)
Priority claimed from US08/502,411 (US5621776A)
Application filed by General Electric Co
Publication of EP0781451A1
Application granted
Publication of EP0781451B1
Anticipated expiration
Expired - Lifetime

Classifications

    • G PHYSICS
    • G21 NUCLEAR PHYSICS; NUCLEAR ENGINEERING
    • G21D NUCLEAR POWER PLANT
    • G21D3/00 Control of nuclear power plant
    • G21D3/001 Computer implemented control
    • G PHYSICS
    • G21 NUCLEAR PHYSICS; NUCLEAR ENGINEERING
    • G21D NUCLEAR POWER PLANT
    • G21D3/00 Control of nuclear power plant
    • G21D3/04 Safety arrangements
    • G PHYSICS
    • G21 NUCLEAR PHYSICS; NUCLEAR ENGINEERING
    • G21C NUCLEAR REACTORS
    • G21C17/00 Monitoring; Testing; Maintaining
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02E REDUCTION OF GREENHOUSE GAS [GHG] EMISSIONS, RELATED TO ENERGY GENERATION, TRANSMISSION OR DISTRIBUTION
    • Y02E30/00 Energy generation of nuclear origin
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02E REDUCTION OF GREENHOUSE GAS [GHG] EMISSIONS, RELATED TO ENERGY GENERATION, TRANSMISSION OR DISTRIBUTION
    • Y02E30/00 Energy generation of nuclear origin
    • Y02E30/30 Nuclear fission reactors

Definitions

  • This invention relates generally to protection systems for shutting down a system and maintaining it in a safe condition in the event of a system transient or malfunction.
  • the invention relates to protection systems for shutting down a nuclear reactor and maintaining it in a safe condition in the event of a system transient or malfunction that could cause damage to the nuclear fuel core, most likely from overheating, or a release of radiation, endangering the public.
  • reactor control systems have automatic and manual controls to maintain safe operating conditions as the demand is varied.
  • the several control systems control operation of the reactor in response to given demand signals.
  • Computer programs are used to analyze thermal and hydraulic characteristics of the reactor core for the control thereof. The analysis is based on nuclear data selected from analytical and empirical transient and accident events, and from reactor physics and thermal-hydraulic principles.
  • In the event of an abnormal transient event, the reactor operator is usually able to diagnose the situation and take corrective action based on applicable training, experience and judgment. Whether the manual remedial action is sufficient or rapid enough depends upon the event and upon the operator's knowledge and training.
  • a reactor trip (also referred to as reactor shutdown, scram, or insertion of all control rods)
  • Some transient events may occur quickly, i.e., faster than the capability of a human operator to react. In such an event, a reactor trip will be automatically effected.
  • a conventional nuclear reactor protection system comprises a multichannel electrical alarm and actuating system which monitors operation of the reactor, and upon sensing an abnormal event initiates action to prevent an unsafe or potentially unsafe condition.
  • the conventional protection system provides three functions: (1) reactor trip which shuts down the reactor when certain monitored parameter limits are exceeded; (2) nuclear system isolation which isolates the reactor vessel and all connections penetrating the containment barrier; and (3) engineered safety feature actuation which actuates conventional emergency systems such as cooling systems and residual heat removal systems.
  • An essential requirement of a nuclear reactor protection system is that it must not fail when needed. Therefore, unless the operator promptly and properly identifies the cause of an abnormal transient event in the operation of the reactor, and promptly effects remedial or mitigating action, conventional nuclear reactor protection systems will automatically effect reactor trip. However, it is also essential that reactor trip be avoided when it is not desired or necessary, i.e., when there is an error in the instrumentation or when the malfunction is small enough that reactor trip is unnecessary. When one shutdown function fails, the reactor protection system must not perform the next shutdown function if to do so would be unsafe.
  • a reactor protection system for initiating a scram in a nuclear reactor in response to monitoring of a critical reactor parameter, comprising:
  • the present invention is a reactor protection system (RPS) having four divisions, with quad redundant sensors for each scram parameter providing input to four independent microprocessor-based electronic chassis.
  • Each electronic chassis acquires the scram parameter data from its own sensor, digitizes the information, and then transmits the sensor reading to the other three RPS electronic chassis via optical fibers.
  • the RPS employs two levels of voting on a need for reactor scram.
  • the electronic chassis perform software divisional data processing, vote 2/3 with spare based upon information from all four sensors, and send the divisional scram signals to the hardware logic panel, which performs a 2/4 division vote on whether or not to initiate a reactor scram.
  • Each chassis makes a divisional scram decision based on data from all sensors.
  • Each RPS division performs independently of the others (asynchronous operation). All communications between the divisions are asynchronous.
  • the reactor protection system logic is designed to provide fault tolerance, enhanced reliability, increased availability and improved separation.
  • Features of this system include the ability to have a failed sensor without reducing the level of protection or increasing the likelihood of an inadvertent reactor trip.
  • the design in accordance with the present invention eliminates the need for manual bypasses, virtually eliminates the need for operator action, and achieves fault tolerance without custom design components.
  • the RPS is designed to withstand multiple failures in almost all of its components. Its logic has the following major performance enhancement characteristics:
  • the reactor protection system of the invention will be described in detail hereinbelow in terms of application to an exemplary nuclear reactor (namely, a liquid metal-cooled breeder reactor). However, it should be noted that the concept is not limited to breeder reactors but is also applicable to light water reactors, gas-cooled reactors, etc.
  • the invention also provides a highly reliable, fault-tolerant safety system which can be employed with any process or system where critical parameters are monitored for the initiation of a safety action.
  • the reactor protection system in accordance with the present invention is a four-division system, with quad redundant sensors 2 for each scram (safe shutdown - also called "trip") parameter providing input to four independent microprocessor-based electronic chassis 4.
  • the electronic chassis perform software divisional data processing based upon information from all four sensors and send the divisional scram signals to a hardware logic panel 6.
  • the RPS employs two levels of voting on a need for reactor scram: a software 2/3 with spare voting on the need for scram from the sensed data, followed by a 2/4 division hardware logic vote on the execution of a scram command.
  • Each RPS division acquires the scram parameter data from its own sensor, digitizes the information, then transmits the sensor reading to the other three RPS divisions.
  • Each electronics chassis 4 is coupled through dedicated optical fibers 8 to the other three so that each chassis sees and makes a divisional scram decision based on data from all sensors.
  • Each division evaluates the data from the other three divisions (e.g., division A processes the data from divisions B, C and D), while holding its own data as "spare".
  • division A evaluates B, C and D data and votes 2/3 for scram
  • division B evaluates A, C and D data and votes 2/3 for scram
  • division C evaluates A, B and D data and votes 2/3 for scram
  • division D evaluates A, B and C data and votes 2/3 for scram.
  • the processing division automatically substitutes its own sensor reading. A 2/3 software vote is taken on the need for scram by each division. If a scram is called for, each division outputs a scram command to its own 2/4 hardware logic relays. If all cross communications between divisions for the exchange of data should fail, each division independently evaluates the need for scram based on its own sensor readings. The hardware logic continues to require 2/4 divisions to call for scram before the scram sequence is begun. This failure mode (no cross communications) means the RPS is performing like a conventional quad redundant protection system.
  • the automatic substitution of a division's own sensor data, in the event of invalid or missing data from the other divisions, means that no bypassing is required for divisional testing, calibration, servicing, maintenance, repair or replacement.
  • a "failsafe" scram command is issued by that division to the 2/4 hardware logic (a "half scram" condition for the conventional protection system).
  • the "half scram" is shielded from inadvertent scram action by each operating division's software logic requiring 2/3 sensor readings to indicate a need for scram before sending a scram command to the hardware logic.
  • the reactor parameters used by the RPS for scram are neutron flux, core inlet and outlet temperature, primary flow (calculated from core inlet sodium and cover gas pressure sensors), and sodium level in the reactor.
  • the RPS scram parameters include secondary sodium (intermediate loop) pressure and containment radiation level and pressure. All design basis events for which scram is required (such as transient overpower, loss of primary flow, IHX rupture, vessel leak, excessive pressure in the secondary from a steam generator sodium-water reaction) are sensed through deviations in these parameters.
  • the neutron flux is measured by monitors located within conduits at the reactor bottom A (see Fig. 4).
  • Core inlet temperature is measured by thermocouples located in the discharge plenum of each pump C.
  • Core outlet temperature is measured by thermocouples located approximately 5 ft above the core to obtain the mixed mean outlet temperature rather than the outlet temperature of a single assembly D.
  • Primary flow is derived from measurements by pressure sensors located in the discharge plenum of each pump C and in the cover gas region E.
  • Primary sodium level is measured by conventional level sensors inside the reactor G.
  • Secondary sodium pressure is measured by pressure sensors in the secondary pipes outside the reactor but close to the IHTS valves F. All sensors are located within instrument thimbles or conduits for easy servicing and replacement. Quad redundancy is maintained for each RPS trip parameter.
  • each RPS sensor is shown in FIG. 4. These sensors are as follows: A) neutron flux; B) sodium leakage (into the space between the reactor vessel 101 and the containment vessel 105); C) core inlet temperature, EM pump pressure, TSS pump temperature; D) core outlet temperature; E) cover gas pressure; F) IHTS pressure; G) sodium level (level probe 134); H) carriage bottomed switches; I) rod stop position; J) carriage position; K) upper containment radiation; L) CVIS effluent radiation; M) RVACS exit temperature; N) RVACS mass flow; O) RVACS effluent radiation; P) ambient air temperature; and Q) containment pressure. All penetrations for in-vessel sensors and actuators are made through the reactor head. There are no penetrations in the reactor vessel walls. The sensor and actuator cables come out through penetrations in the domed containment to the RPS electronics located in the RPS vaults. There are no RPS electronics in the reactor or containment.
  • In addition to having scram action based upon the direct measurement of parameters, the RPS also uses these data in calculations (ratios, rate of change, event counting, correlations, time between events, levels, percentages, etc.) as the basis for scram action.
  • the RPS minimizes the need for human intervention by having three distinct modes of automatic operation: (1) Shutdown/Maintenance - reactor shutdown, not operating; (2) Startup/Operate - normal reactor operation; and (3) Scram - reactor emergency shutdown.
  • the operator input to the RPS is well defined and limited.
  • In the Shutdown/Maintenance mode, normal reactor maintenance, refueling, testing and calibration activities can occur.
  • the RPS responds to operator requests to permit the necessary maintenance activities.
  • the RPS does not permit actions that could lead to reactor power operation.
  • When reactor power operation is desired, the operator must request a mode change to the Startup/Operate mode.
  • In response to an operator input request to change to the Startup/Operate mode, the RPS first satisfies itself that all monitored parameters and its own operation are nominal. Part of the RPS startup checking includes a comparison of all RPS software (including setpoints) with a fifth software file, independently maintained by the control room reactor operators. This comparison is made by the plant control system (PCS) with the RPS awaiting a positive response before continuing with the mode change. If there is even a one-bit error, the RPS will not transition to the Startup/Operate mode until the discrepancies have been resolved. The RPS then facilitates reactor startup and operation. In the Startup/Operate mode, the RPS only responds to two operator input requests: SCRAM or Return to the Shutdown/Maintenance mode.
  • a SCRAM request causes the RPS to interrupt its current data processing, etc. and immediately begin the reactor scram sequence.
  • a request to return to the Shutdown/Maintenance mode is only executed if the control elements have been placed in their fully inserted position (minimum reactor power) as for shutdown, refueling and/or maintenance. If the control elements cannot be fully inserted, a SCRAM request must be issued for the protection system to initiate a scram sequence and shut the reactor down.
  • When the RPS executes a scram sequence automatically or in response to an operator input request, the RPS enters the Scram mode. In this mode, the reactor is fully shut down and, presumably, cooling. The only recovery from the Scram mode is a manually input request to return to the Shutdown/Maintenance mode. This satisfies a "Deliberate operator action to return the safety systems to normal" requirement and begins recovery from scram.
  • the RPS must be operational before the PCS can operate.
  • a request for a normal change from the Startup/Operate mode to the Shutdown/Maintenance mode will be honored only if all control rod carriages are "bottomed" and the reactor is at shutdown power.
  • a transition from the Startup/Operate mode to the Scram mode can be made at any time by manually initiating a scram.
  • a manual scram may be started from any of several locations.
  • manual scram may be started by simultaneously pressing two dedicated safety system Scram buttons that bypass all electronics.
  • An electronic scram is automatically invoked as a backup action to the manual command.
  • Scram buttons are located at the operator's console 72 in the main control room (MCR) 74 or the console 76 in the remote shutdown facility (RSF) 78, and at the control panel for each division of the RPS.
  • manual scram may be started by requesting the RPS to initiate a scram sequence by typing an appropriate command on a computer keyboard communicating with the RPS.
  • the keyboard may be at the operator's console in either the MCR or the RSF, at the control panel for each division of the RPS in the RPS instrumentation vaults 82 or at the control panel for each division of the PCS in the PCS instrumentation vaults 84.
  • the vaults are supported on a seismically isolated reactor base mat.
  • the RPS of the present invention is divided into four identical divisions, each located within its own seismically isolated instrument vault 82 adjacent to the reactor upper containment area 114 (see FIG. 4). Each division is provided with its own sensor for each measurement parameter. Thus, there are four identical sensors for each monitored parameter.
  • a division consists of a multiplexer 200 connected to a sensor 2 and a reference voltage 201. The selected voltage is then amplified by a controlled gain amplifier 202 and filtered by a bandwidth adjustable filter 204. The filtered signal is sampled by sample and hold circuit 206 and digitized by analog-to-digital converter 210. The sensor verification flag is set by the sensor verification circuit 208. The digitized parameter value and its associated sensor verification flag are stored in buffer memory 212.
  • Digital signals are input at this point 214.
  • Digital inputs include the hardware logic diagnostics, carriage bottomed switches, valve position sensing switches, rotating plug seated and locked interlocking switches, "card out of file" sensors, etc.
  • the data in buffer memory 212 is then communicated to the other divisions, to the data handling and transmission system (DHTS) and to the RSF via data exchange output 220.
  • Conversely, data from the other divisions, from the DHTS and from the RSF is received via exchanged data input 222 and stored in buffer memory 224.
  • the central processing (software logic) unit then evaluates the data values and flags (step 226), processes the data if necessary (step 228), inputs the new data into the limited historical data file 230, tests the parameter value against the set point retrieved from read only memory 234, performs the 2/3 with spare vote (step 236), and then outputs a scram command (step 238), if required, to the 2/4 hardware logic 6, which also receives trips from other RPS divisions and manual scrams from the MCR, RSF or RPS.
  • the vote results, scram command and parameter values are output to a display processor 240, which converts the parameter values into engineering units. This information is then displayed on local display 244.
  • the display processor also receives data from other RPS divisions via optical fiber 239 and data input by the operator via keyboard 242.
  • the 2/4 hardware logic changes state and, depending on whether the safety actuator 36 is to be turned on or turned off, either opens or breaks the connection between the safety actuator and its power supply circuit 38.
  • hardware logic 6 controls the supply of power from dual uninterruptible battery-backed power supplies 38 to the control rod latch coils 102 of a liquid metal reactor.
  • the four divisions of the RPS operate asynchronously, in parallel (with inter-divisional data exchange) as a single fault-tolerant system.
  • the four divisions share their sensor data via inter-divisional optical fiber cables.
  • Two levels of voting (software followed by hardware) are employed to reduce spurious scrams, eliminate the need for bypassing and maintain a high reliability for initiation of a safe shutdown sequence when needed and provide a high protected system availability by preventing spurious scrams.
  • Each division votes 2 out of 3 on the data from the other three divisions (with each division holding its own sensor data as spare) to determine whether scram should occur.
  • Each division's output goes to trip breakers in the actuator power circuit arranged to provide a hard-wired 2 out of 4, failsafe logic for each RPS actuation.
  • the 2 out of 3 with spare software voting in each division is accomplished by fully qualified software.
  • the 2 out of 4 inter-divisional voting for safe shutdown is accomplished by hard-wired logic utilizing optically isolated relays, contactors, or breakers.
  • the term "breakers" encompasses relays, contactors or breakers.
  • a division holds its own sensor's data as spare while processing the data obtained from the other three divisions. If any data is missing or fails to verify or validate, the division will automatically substitute its own sensor reading. If a division's own sensor data is also faulty, the division will evaluate the need for scram based upon the remaining two good communicated sensor readings. A division will evaluate the four sensor readings to assure "sameness", then continue to process the information and vote 2 out of 3 on the need for a trip. If a trip is called for, the division will actuate its trip breakers in the 2 out of 4 hard-wired logic network. With this logic, one division may fail or be taken out for service and returned at any time without causing a trip or requiring a bypass. Two sensors for a safety parameter are still required to indicate the need before a scram command will be issued even if one division is not operating. The off-line division will automatically be accepted back on-line without the need for any special procedures or software.
  • each division reads only its own sensor and gives a divisional scram on the basis of 1/1 logic.
  • the conventional protection system will result in a scram if any one of the other sensors indicates scram or fail (making it prone to inadvertent scrams), whereas the RPS still requires two of the remaining good sensors to indicate scram before it issues a trip command.
  • the improved resistance to inadvertent scrams permits one division of the RPS to be taken off-line automatically for periodic end-to-end self testing and calibration, service or replacement. There is no need for any manual switching or bypassing. This is because even if one division is taken off-line, the other divisions retain their 2/3 sensor scram software logic such that it still takes two sensor readings exceeding the scram set point to result in the execution of a scram.
  • a division may be taken off-line for service at any time without the need for a bypass, without fear of an inadvertent scram, without any reduction in the protection offered, and without the need for any special consideration to bring the division back on-line.
  • the elimination of manual bypasses reduces the incidence of inadvertent scrams due to operator error. In the presence of two failed sensors for a given parameter, the RPS will modify its software to a 1/2 logic and issue a trip command if either of the two remaining good sensors indicates the need for a trip.
  • Each division of the RPS electronics receives sensor inputs either by direct analog or digital connection or through a sensor signal conditioning device. There is no data bus between the RPS electronics and the sensors. All division sensor inputs appear continuously on that division's input cards and are read in by commands from the division's central processing unit (CPU). Referring to FIG. 3, the input data processing for each trip sensor consists of the following steps:
  • All four RPS divisions perform this input data processing in parallel, asynchronously, with their own sensors, continuously and in real time.
  • Each division sends its data to all other divisions via optical fiber cables 8 (FIG. 1) which provide electrical isolation.
  • This inter-division, asynchronous, cross communication provides for sensor data exchange between the divisions.
  • the data exchange function allows each division to have all four sensor readings for a given parameter along with a processing division identifier and flags that delineate the validity of the data.
  • Data are exchanged through serial data ports.
  • Each RPS division has three output and three input ports for this purpose.
  • When data are ready to be exchanged, each division sends the information to the other three divisions and to its own data processor.
  • the incoming data from the other divisions are stored in buffer memories 224 (FIG. 3) (to accommodate the asynchronous operation of each division) prior to being evaluated for the trip function.
  • the buffer memories accommodate the division's own information. The four data readings are then ready to be processed and voted upon for the determination of the need for a divisional scram command output.
  • each division has all four sensor readings and flags (contained in four "identical" data words) to work with for each polled observation.
  • As each word is received by a division, it is stored in a buffer memory 224, and then recalled and tested to see if the sensor reading is good as determined by the status of the sensor verification flags (block 226 in FIG. 3). If verified, the sensor readings are checked against each other for uniformity. Then the sensor readings are passed through for any necessary calculations (block 228) and software voting (block 236) (see FIG. 6). Computed parameters such as rate of change and ratio require additional calculation steps (added software routines but no additional hardware).
  • After all scram parameters are calculated, they are compared to a safety set point. If 2 out of 3 exceed the set point for any parameter, a scram signal is issued from that division (block 238 in FIG. 3), actuating its 2/4 hardware logic relays. If two or more divisions issue scram signals, a reactor scram will occur.
  • the RPS uses hardware logic 6 to perform a two out of four division vote on the need for a scram. Any two RPS divisions issuing a trip command results in the initiation of a scram sequence.
  • Each actuator 36 has one set of hardware logic connected thereto. Two different types of hardware logic, series and parallel, are used.
  • the series logic consists of switch contacts placed in a series/parallel arrangement such that any two divisional sets of contacts interrupt the flow of current through the actuator circuit.
  • An example of this current interrupt hardware logic is the latch coil holding circuit (see FIG. 7A).
  • the parallel logic consists of switch contacts placed in a series/parallel arrangement such that any two divisional sets of contacts enable current to flow through the actuation circuit, a voltage make logic.
  • An example of this hardware logic to energize an actuator is illustrated in FIG. 8A.
  • all of the "A" contacts are physically located in the RPS Division A instrument vault; the "B" contacts are in the "B" vault, etc. (see FIG. 5).
  • the RPS automatically checks its own performance in two ways. First, it performs a limited test of the electronic components and circuits by injecting a reference voltage 201 as a sensor input and comparing measured response to predetermined values (see FIG. 3). The RPS also automatically performs a periodic, on-line, extended test of an entire division without manually bypassing the division and without resulting in an inadvertent scram. Testing is done from input to output, and includes actuation of the scram hardware logic circuit. All four divisions continually monitor the status of the 2/4 hardware logic components and use this information for test scheduling, confirmation of correct operation, and as a diagnostic to identify problems.
  • Each sensor polling cycle includes sampling of a divisional reference voltage.
  • the reference voltage 201 (see FIG. 3) is treated as a sensor input, sufficient to result in a scram decision. However, the actual output of a scram command is inhibited.
  • the response to this test voltage is diagnostically evaluated for evidence of erroneous performance by a division and, when compared to the input from other divisions, for detection of system performance, reference voltage error, and/or cross communication degradation. If any portion of the system is not performing correctly, the defective item is automatically identified to the smallest replaceable module, and service is automatically summoned.
  • This electronic component test is designed to take place continuously, on-line, by automatic piecewise testing.
  • a normal scram inhibit command continues to be output to the division's hardware logic such that a "half scram" condition is prevented during a limited test.
  • a limited test is performed with each sensor polling cycle. [The reference voltage is polled as if it were a sensor input.] Thus the limited test is "piecewise" continuous. Any problems detected result in a message being output to request timely service.
  • the extended test is designed to evaluate the state-of-health of an entire division, sensor input through output hardware logic.
  • the extended test is the same as a limited test without the inhibited scram output. Thus, the extended test results in actuation of a division's output scram relays. This test is performed by only one division at a time, only if no other division is likewise testing, and only if all divisions appear to be functioning correctly.
  • a division scheduled to conduct a test will first check to see if everything is normal. If not, it will wait for a random amount of time, then try again later.
  • the monitoring of the 2/4 hardware logic by all divisions is used to assure that two divisions do not perform the test simultaneously and cause an inadvertent scram.
  • the limited test is extended by allowing the testing division to issue a scram command to actuate its 2/4 hardware logic components.
  • two of the three active divisions are still required to command a scram before a shutdown sequence is actually initiated.
  • This shields "half scram" condition problems which would occur with a conventional protection system when the testing division sends out a test "scram" signal to the hardware logic.
  • In a half scram condition, one division's scram relays are opened so that a scram from any one of the other divisions results in reactor scram. This is the only time in the testing that the system is in the "half scram" condition.
  • the time for this test segment is equivalent to a normal sensor read period so the chance of inadvertent scram due to simultaneous testing by another division is small.
  • all divisions are software scheduled for testing based upon their monitoring of test activities of other divisions.
  • An extended test is not conducted if any of the four divisions is operating in an off-normal condition. For example, the extended test does not occur during a full division maintenance operation, when the division CPU, power, or digital output cards are inoperative. This puts the full hardware logic into a "half scram" condition. Yet the software logic screen still requires two out of three sensor readings to indicate the need for scram before a scram command is issued. This greatly reduces the chance of inadvertent scrams. Present estimates show that the inadvertent scram probability is acceptably low.
  • the results of a division's extended test are monitored by all divisions by the continuous monitoring of the hardware logic relay contacts (see FIGS. 7 and 8). Each division looks for any contact pair change of state and correct operation. This capability is based upon monitoring the current or voltage at different points throughout the hardware logic circuits. The state of the contacts (with relays actively powered) is continuously monitored during normal operation as an additional digital sensor input. This provides a failure (change of contact state: open to close, or close to open, or failure to change state, depending upon the logic configuration) detection capability during normal operation as well as during testing.
  • the divisional testing feature (either manually requested or computer scheduled) actually operates the relays without causing a scram. Diagnostic sensing confirms the correct operation of the relay contacts or identifies and reports the failure to operate correctly. Each division is able to use the information gathered to assess the health and status of all other divisions.
  • the conduct of the extended test helps to assure that the data processing algorithms, set point comparisons and scram output circuits are functioning properly.
  • the present invention provides an automatic test capability to assure that the 2/4 hardware logic relay contacts are operating correctly and ready to respond to a scram demand.
  • the test is performed periodically in the automatic mode or immediately, in response to a manually input keyboard demand for test. Testing must not cause a scram. Testing opens or closes the 2/4 relay contacts to interrupt or establish flow of current through the contacts. An automatic or manually input keyboard demand for test will not be executed if another division is performing a self test, is out of service for any reason or in the presence of any off-normal indication from the 2/4 logic circuits.
  • the comparator tests the input voltage against a reference voltage. If the input voltage exceeds the reference, a digital one value is output. If not, a digital zero is output. For example, when the signal is sent to open contacts A during testing, sensors S1, S4, S6 and S7 should go low, while sensors S2, S3, S5 and S8 remain high. Any deviation from these sensor outputs indicates that one or more of the A contacts failed to open. The faulty contact can be easily identified from the unique 8-bit (or any number of bits depending upon the number of diagnostic points sensed) code produced from the sensor outputs.
  • the digital output from each of the eight sensors for each hardware logic train are input, in parallel, to an 8-bit data input card 40 (see FIGS. 3 and 7B) plugged into the electronics chassis 4 for each RPS division.
  • the digital I/O output from all eight sensors forms a unique 8-bit digital word for each correct or faulty operation of the 2/4 hardware logic relays. That word is processed by the CPU on the electronics chassis 4.
  • Monitoring of the diagnostic, digital input port will permit each division to recognize that another division is conducting a test or is out of service and be able to report the results of each test. If a division is scheduled to conduct a test, it will query its diagnostic, digital input port. If the port is busy, the division will wait a random amount of time, then try again.
  • Testing will then consist of the division issuing a scram command to its relays. The division will read the diagnostic, digital input port. If the returned sensor pattern is correct, the test is successful and the division's display will show that the test was conducted and passed. If the pattern is incorrect, the CPU will be able to identify which hardware element failed and output an appropriate message.
  • high-value resistors 14 are arranged in parallel with contacts (see FIG. 8B).
  • An isolated analog amplifier 16 measures the voltage drop across each resistor. The amplified voltage is fed to a comparator 18. The comparator tests the input voltage against a threshold voltage. If the input voltage exceeds the threshold, a digital one value is output. If not, a digital zero is output. For example, when the signal is sent to close contacts A during testing, sensors S1, S4, S6 and S8 should go low, while sensors S2, S3, S5 and S7 remain high. Any deviation from these sensor outputs indicates that one or more of the A contacts failed to close. The faulty contact can be easily identified from the unique 8-bit code produced from the sensor outputs.
  • the digital output from each of the eight sensors for each hardware logic train are input, in parallel, to the 8-bit data input card 40 for each RPS divisional computer (see FIG. 7B).
  • the digital I/O output from all eight sensors forms a unique 8-bit digital word for each correct or faulty operation of the 2/4 hardware logic relays, which is monitored as described above.
  • the RPS electronics are designed to operate at elevated temperatures (approximately 170°F) without the need for active cooling or heating, ventilation, and air conditioning (HVAC) systems.
  • a division may be serviced, on-line, at any time without causing a reactor trip.
  • the RPS is designed as a highly modularized system and may be functionally updated as technology progresses to satisfy the 60-year life requirement. Diagnostics to locate problems to the smallest, plug-in, replaceable modules are provided. This means that the system can be easily and rapidly maintained by minimally skilled technicians.
  • the RPS electronic modules (e.g., CPUs, signal conditioning cards and data input cards, all plugged into the electronics chassis 4) for all four divisions and all reactors are identical, resulting in a reduced stock of spare parts required to maintain the system.
  • FIG. 9 illustrates the single line diagram for only two RPS instrument vaults.
  • the other two division vaults are supplied electrical power in a similar fashion but with origins from two different high-voltage busses.
  • All RPS instrumentation is operated by direct current (dc) voltage.
  • Each division of the RPS is supplied battery-backed, dc electrical power from two parallel, electrically isolated, dc sources (located in two different RPS division vaults) via dc busses 30 and isolation devices (e.g., diodes) 32.
  • Battery chargers 20 in each vault serve as qualifiable electrical isolation devices.
  • Each alternating current (ac) bus 22 is supplied from two different sources.
  • Each of the ac busses is sourced from either of two high-voltage ac busses for added reliability and availability.
  • Facility power is distributed throughout the plant as alternating current (ac) at a kilovolt level via busses 24.
  • a step-down transformer(s) 26 reduces the ac voltage level and supplies the battery charger 20.
  • the battery charger outputs a dc voltage for the RPS division load and to maintain the charge on a battery 28.
  • an RPS division is supplied continuing power from the battery. No switching or dc to ac inversion is involved, thus simplifying the system and eliminating additional component failure potential.
  • the RPS is designed to ensure that: (1) no single failure results in loss of the protection function and (2) removal from service of any component or channel does not result in loss of the required protection function. It is also designed to minimize false (inadvertent) scrams due to sensor malfunctions without compromising safety.
  • RPS divisional trips are based on a 2/3 division sensor data vote with each division keeping its own sensor reading as spare. However, this trip logic is different if failures occur either in the sensors, processing electronics, or communications.
  • the sensor fault produces sensor readings which are outside the reasonability bands, and are easily detected by noting the status of the sensor verification flags. Bad sensor readings are not used in the scram vote.
  • If sensor B shown in FIG. 10 is bad, then the 2/3 software logic 4b for each of divisions A, C and D substitutes its own sensor reading as needed (so that each division still has three good readings from sensors A, C and D) and performs the 2/3 scram vote.
  • the software logic for division B performs its 2/3 scram vote using the normal sensor readings (from divisions A, C and D).
  • each division has two good sensor readings and issues a scram signal if either or both sensors say scram (i.e., it performs a 1/2 vote). If all three (or four) sensors are bad, then each division issues a scram command.
  • the hardware logic 6 issues a signal to the operator if two out of four divisions issue a trip signal.
  • Electronics failures include failures in key signal processing chips (signal conditioning circuit 4a in FIG. 10) in the microprocessor-based chassis 4 or failures of the systems supplying power to the chassis. Such electronic failures prevent the division output circuitry from sending the divisional "no scram" signal and that automatically puts the division in a "scram" condition, regardless of the sensor and communication system status. Thus two (or more) such electronic (CPU) failures will trigger scram regardless of whether any of the sensors are indicating scram (Fail-safe). This is equivalent to what is done in conventional RPS systems.
  • Communications failures include failures in the inter-processor communication system due to either hardware/software problems in the sending or receiving units, or noise pick-up during transmission. Such communication failures are not serious, and are detected by absence of incoming communicated sensor data. If one such failure occurs, such that a division receives data from only two instead of three other divisions, it substitutes its own data and does a 2/3 vote with no loss of reliability for the protective function. If a division receives data from only one of the other three divisions, it substitutes its own data to give two good readings and votes scram if either is above the trip setting (i.e., it does a 1/2 vote).
  • If a division receives no data from any of the other divisions, then it uses its own data and issues a divisional scram with 1/1 logic, as in conventional RPS designs.
  • the RPS acts like a conventional RPS without inter-processor communication.
  • the RPS functions are to: (1) continuously monitor the safety parameters in the reactor (neutron flux, cold pool and core outlet temperatures, pump discharge pressure, and primary sodium level); (2) determine if reactor shutdown, EM pump trip, and containment isolation are needed; (3) send a trip signal to the control rod release mechanisms and drive-in motors to ensure insertion of the control rods; (4) initiate coastdown of the primary EM pumps; and (5) initiate containment isolation through IHTS valve closure and containment ventilation valve closure.
  • the RPS has four identical, parallel logic trains or divisions to perform these functions.
  • Each logic train consists of a sensor, analog input/amplifier/digital converter, digital logic unit, and trip actuator. Seven parameters are used for reactor trips.
  • Each logic train has one sensor input for each parameter. A polling of the analog inputs is performed and that determines which parameter is processed by the RPS at any instant of time.
  • levels of diagnostics are performed automatically by the RPS at differing intervals. These levels include: individual component calibration, checking of subsystem calibration/wellness, overall system performance, signal verification and validation, data exchange validation, and trip validation.
  • the four RPS divisions work together as a fault-tolerant system, that is, any failure that occurs within any division is detected and confined. Reconfiguration occurs automatically to bypass a problem area.
  • the system is capable of being repaired while operating. One entire division may be removed for service at any time without system degradation.
  • the inputs are fully fault tolerant, that is, if a failure occurs within an input section, the failure is isolated and the system is reconfigured around the failure.
  • Each of the four central processing logic units is capable of error detection, containment, and reconfiguration.
  • Each optically coupled circuit breaker is provided with a test feature such that the complete division may be automatically tested (from sensor input through to, and including, the trip breakers) at any time without the release of a control rod or initiating a reactor scram.
  • RPS Operation: If a design basis event occurs and any of the reactor trip parameters exceed their safety set points, the RPS electronics 4 automatically initiates a scram sequence (see FIG. 2).
  • the reactor scram sequence begins by controlling 2/4 hardware logic 6 to interrupt the power to the latch coil holding circuits 102 which hold control elements 106 and to apply power to the drive-in motors 104, and by sending a message to the PCS 56 indicating that a reactor trip is in progress.
  • the power to the electromagnetic pump 108 from EM pump power unit 110 is disconnected by controlling 2/4 hardware logic 6, which in turn trips RPS-EM pump breakers 62 (there are two breakers for each of the three EM pump phases), thereby initiating primary flow coastdown.
  • the EM pump shutoff action does not occur until there is a confirmation that control element 106 has been inserted.
  • When the scram command is initially issued, the measured flux at that instant is noted.
  • the flux level is rechecked and the EM pump shutoff action is not allowed to occur until the flux has decreased by a preset percentage from its scram initiation level. If the control rods 106 should fail to insert, this confirmation logic will allow the reactor to heat up until the passive shutdown features decrease the flux by the specified percentage and then the Thermal Shutoff System (TSS) will initiate EM pump shutoff and flow coastdown will occur.
  • the TSS comprises four thermal sensors 64 connected to 2/4 current interruption hardware logic via four thermal trip units 66 respectively. Each thermal sensor 64 provides an independent sensor reading of the EM pump temperature.
  • Release of the control rods 106 occurs within 50 msec of a decision to issue a trip command.
  • Gravitational insertion of the rods is completed within 2 sec.
  • Gravitational insertion is backed by a drive-in motor powered control element insertion.
  • the drive-in motor 104 ensures complete rod insertion within 18 sec. After scram, the reactor power decreases to less than 10% within about 2 to 3 sec.
  • the EM pump coastdown then ensures that the primary flow is reduced to a near natural circulation level over a 200-sec period of time.
  • the mixed core outlet temperature drops rapidly, then gradually increases, peaking at about 500 sec, then gradually decreases as the reactor 100 continues to cool.
  • the flow coast-down curve consists of a sharp drop in coolant flow from 100% to about 85% as soon as the power is disconnected from the EM pump 108, and then a gradual flow decrease for the next few hundred seconds as the synchronous machine 112 delivers its energy to the EM pump and flow slows down.
  • the RPS accepts a manually input request to execute a trip sequence from its own scram buttons (an action that bypasses all electronics and interrupts power to the trip breakers directly).
  • Manual scram may also be initiated through diverse non-safety-related electronics via an operator's console 72 in the main control room 74 (FIG. 2).
  • the first method is via the DHTS to the RPS controllers, and the diverse method is via direct connection to the manual scram actuation electronics.
  • a safety-related, manually input scram command may be input to the RPS from the scram buttons located on the face of the console 76 in the remote shutdown facility 78.
  • In addition to the reactor scram function (including EM pump shutoff), the RPS also performs three additional functions: (1) provide data and displays for post-accident monitoring (PAM); (2) close the Intermediate Heat Transport System (IHTS) isolation valves 116 via IHTS valve controller 118 when a large steam generator sodium-water reaction occurs (see FIG. 13); and (3) close containment ventilation valves 120 when radiation in the containment dome and air containment effluent becomes too high (see FIG. 13).
  • the RPS prevents reactor damage by closing the IHTS isolation valves 116 which isolate the intermediate heat exchanger (IHX) 117.
  • the sodium-water reaction event is sensed by the RPS pressure sensors F (FIG. 4) located in the IHTS loop, which trigger both closure of the isolation valves and reactor scram.
  • the containment ventilation valves 120 are closed by the RPS removal of power to normally open RPS breakers 88 in series with the PCS-controlled breakers 90 which connect facility power 132 to the ventilation valves 120 (see FIG. 12).
  • the scram function is independent of the containment isolation function. Most scram events (those caused by events within the reactor) do not trigger IHTS or containment valve closures.
  • the control assemblies are used by the Plant Control System (PCS) to adjust the operating power level of the reactor module.
  • the absorber bundle 106 is held at the top of its rod-like structure by a collet (latch) 126.
  • the collet 126 is connected by a rod 128 to the control rod drive mechanism where a pair of continuously energized electromagnets (latch coils) 102 hold the collet 126 closed.
  • An interruption of the electrical current to the latch coils 102 opens the collet 126, releasing the absorber bundle 106, which allows it to drop into the core 124 under its own weight (gravity-assisted insertion).
  • Each control assembly has two motors to control the positioning of the absorber bundle.
  • a shim stepping motor 130 is provided such that the PCS can make major or vernier adjustments to raise or lower each absorber bundle 106 for controlling the power of the reactor.
  • a unidirectional (in only) dc drive-in motor 104 (four times more powerful than the shim motor 130), when activated by the RPS as part of a scram sequence, drives each control assembly driveline to the bottom of its stroke to assure complete insertion of the absorber material.
  • the RPS has no control rod withdrawal capability. [This is typical of the present invention, wherein the RPS operates DC motion devices in the safe direction or safe action only.]
  • Each control rod carriage 106 has limit switches that turn off the drive-in motor power at the end of the control assembly insertion. Activation of these limit switches is recognized as confirmation that the control assembly insertion is complete.
  • Initiate EM Pump Coastdown: In addition to control rod insertion, the RPS also shuts off power to the EM pump 108 (after confirmation of rod insertion) as part of the scram sequence. The RPS confirms rod insertion by noting that the flux level has decreased by a predetermined percentage, and then issues the command for EM pump shutoff. For this actuation, the RPS opens breakers between the PCS power conditioning unit 110 and the EM pump 108/synchronous machine 112. This disconnects the EM pump/synchronous machine from its normal power source. The EM pump 108 uses inertial energy stored in a flywheel connected to the synchronous machine 112 (self-excited) to provide coast-down flow.
  • FIG. 11 is a simplified single line diagram showing the EM pump power circuit and the PCS, RPS, and TSS interfaces.
  • Isolate Secondary Sodium System and Containment Ventilation System: The RPS is responsible for automatic containment ventilation and IHTS isolation valve closure for events that challenge containment. Conceptual designs for these functions are shown in FIG. 13. Closure of the IHTS valves 116 is achieved by closing RPS-controlled solenoid valves in the line that delivers pneumatic power to the IHTS valves. Closure of the containment ventilation valves 120 is achieved by opening RPS-controlled breakers 88 in the valve electrical power line 132.
  • IHTS valves 116 are open when the reactor is operating to allow IHTS flow. These valves are only shut in the remote event that a sodium-water reaction causes a high-pressure condition in the IHTS lines.
  • the closure is automatic and done by the RPS controller 50 only.
  • the PCS 84 has no capability to close the valves 116. This prevents the control room operators from inadvertently closing the valves when the reactor is operating. Further, the RPS has no capability to open the valves. The PCS cannot open the valves unless the reactor has scrammed and the RPS has transitioned to the Shutdown/Maintenance mode.
  • valves can be opened (in order to start secondary sodium flow before startup) by PCS command from the control room.
  • the valves may be manually opened and closed from a local pneumatic control panel near the valves when the reactor is shut down and the RPS is in the Shutdown/Maintenance mode.
  • the containment ventilation valves 120 (four total, two in the intake and two at the exhaust) are closed when the reactor is operating. The only time that these valves need to be opened during operation is to freshen the air so that operations personnel can enter the containment. After personnel leave the containment, the ventilation valves are again shut. Opening and closing of these valves under normal conditions is done manually either from a local panel near the containment entrance or from the maintenance room and/or control room, using PCS electronics. However, if high radiation is detected in the containment dome 114 (see FIG.
  • FIG. 13 illustrates containment ventilation valve control by the PCS and the RPS for normal and abnormal situations.
  • Auxiliary safety systems: As shown in FIG. 12, three auxiliary safety systems, the rod stop system (RSS) 136, the thermal shutoff system (TSS) 138 and the ultimate shutdown system (USS) 140, have been incorporated into the liquid metal reactor design to provide margin to safety in the remote event that the RPS fails.
  • the RSS 138 electronically adjusts mechanical rod stops and limits the maximum reactivity addition potential of an unprotected transient overpower event.
  • the RSS ensures a benign response to unprotected rod withdrawal events by passively limiting out-motion of the control rods by physical interference with carriage motion.
  • the components in the rod stop system include a quad-redundant controller, a rod stop drive selector, and a limited capacity power supply which controls power to each of the six rod stop adjustment drive motors, one for each control rod.
  • Absolute position sensors are used to determine control rod and stop positions.
  • the rod stop system controller is separate from the RPS controller.
  • the RSS obtains reactor power and absolute control rod position data from the redundant sensors through the RPS controller.
  • the RSS is activated by operations only as required to adjust the rod stop position.
  • the RSS controller, power breakers, power supply, stepper motor controller and distributor are located in the RPS electronics vaults 82 (FIG. 4) adjacent to the upper containment area.
  • the TSS 138 is designed to automatically shut-off the EM pumps on high temperature, in case the heat sink (IHTS) is lost (so that only RVACS cooling is available) and the RPS fails.
  • the temperature within the reactor rises rapidly and triggers the inherency mechanisms to bring the reactor to a hot standby level within about 30 hr if the EM pumps are not operating.
  • each EM pump adds heat to the reactor. If the EM pumps are not shut off, the reactor's integrated heat input will exceed the heat sink capability.
  • there is a need for a mechanism to automatically turn the EM pumps off should the reactor temperature exceed a given threshold.
  • the RPS 50 provides the control power for the RPS breakers 62 in the EM pump/synchronous machine power circuit. As part of a normal scram sequence, the RPS will release these breakers to initiate an EM pump coastdown of the primary flow. In normal operation, the RPS breakers 62 are actively held in the closed position such that the EM pump (108)/synchronous machine (112) receive electrical power from the power conditioning unit (110).
  • the TSS 138 monitors the temperature of the exit sodium in each pump. It consists of four safety-related thermocouples 64 (one in each pump inlet plenum) each with a thermal trip unit 66. The sensors and trip units are separate from the RPS. If the temperature in a pump should rise above the predetermined set point, the thermal trip unit 66 associated with the pump issues a trip signal. The trip signal opens contacts 68 in the trip signal line from the RPS to the EM pump RPS breakers. The contacts are arranged such that a trip signal from any two of the four thermal trip units will result in opening the EM pump RPS breakers 62 for all four EM pumps. This will initiate a flow coastdown in all four pumps, and will terminate the thermal input by the EM pump power supply to the reactor.
  • Each EM pump contains one thermal sensor 64 connected to a thermal trip unit 66 located in one of the RPS instrument vaults 84 (FIG. 4).
  • the thermal trip unit 66 consists of conventional signal conditioning electronics, a set point comparator, and output circuitry.
  • Each thermal trip unit outputs a signal to four optically isolated relays, arranged to form a 2-out-of-4 hardware logic 68 with the relay contacts from the other three thermal trip units as shown in FIG. 4.
  • all of these relays are failsafe, that is, they require an active signal to keep the contacts closed. If there should be a multiple failure or loss of power, the contacts will open to initiate an EM pump coastdown.
  • the USS 140 provides for the shutdown of a reactor in the extremely unlikely, hypothetical condition that all other methods have failed.
  • the PCS must have failed to run in the control rods and the RPS must have failed to scram the control rods. If such failures occur, the negative reactivity feedback characteristics of the system will bring the reactor to a safe, stable condition at an elevated temperature.
  • the ultimate shutdown system can be actuated by the operator to bring the reactor to cold subcritical conditions. Operator manual action is required to initiate activation of the ultimate shutdown system from either the remote shutdown facility or the RPS vaults.
  • the ultimate shutdown system consists of a container with a poison (B4C absorber balls) that is released into the reactor to bring it to cold shutdown.
  • the USS is activated from a pair of buttons located in a case on the wall of the RSF and also in the RPS vaults.
  • the reactor protection system (RPS) in accordance with the invention represents a design departure from traditional reactor protection systems. This system design meets or exceeds all stated goals and maximizes the availability that can be provided by the design of a protection system. Many features of the disclosed RPS separate this design from traditional systems, including the following:
  • the passive safety features of the example reactor design mean that after the scram-required actions of the RPS are complete, the RPS continues to provide sensor data for accident monitoring.
  • the RPS design is greatly simplified.
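The degraded voting rules described above (a 2/3 software vote with each division's own reading held as spare, falling back to 1/2 and 1/1, feeding 2/4 hardware logic) can be exercised in a short simulation. This is an added example, not code from the patent: the names `Reading`, `divisional_vote`, `hardware_2of4` and `system_scram`, the sample values, and the fail-safe handling of combinations the text does not cover are assumptions.

```python
"""Added illustration of the divisional scram vote; not the patent's code."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple

DIVISIONS = ("A", "B", "C", "D")


class Status(Enum):
    GOOD = "good"        # reading passed the reasonability-band check
    BAD = "bad"          # verification flag set: outside the reasonability band
    MISSING = "missing"  # no data received over inter-processor communication


@dataclass(frozen=True)
class Reading:
    status: Status
    value: float = 0.0


def divisional_vote(own: str, view: Dict[str, Reading],
                    setpoint: float) -> Tuple[bool, str]:
    """Return (scram_command, vote_mode) for division `own`.

    `view` holds the reading this division has for every division,
    including its own locally wired sensor.
    """
    # Reading of the text used here: three or four sensors flagged bad
    # means the division commands scram outright.
    if sum(r.status is Status.BAD for r in view.values()) >= 3:
        return True, "sensors-bad"

    # Normal vote set: the other three divisions' readings.
    pool = [view[d] for d in DIVISIONS
            if d != own and view[d].status is Status.GOOD]
    # The division's own reading is the spare, used only to fill a gap.
    if len(pool) < 3 and view[own].status is Status.GOOD:
        pool.append(view[own])

    trips = sum(r.value > setpoint for r in pool)
    if len(pool) == 3:
        return trips >= 2, "2/3"
    if len(pool) == 2:
        return trips >= 1, "1/2"
    if len(pool) == 1:
        return trips >= 1, "1/1"
    # Assumption: no usable reading at all is not covered by the text,
    # so this sketch fails safe and commands scram.
    return True, "no-data"


def hardware_2of4(commands: Dict[str, Optional[bool]]) -> bool:
    """2/4 hardware logic. None models a division whose electronics failed:
    it cannot send "no scram", so the hardware sees it as a scram."""
    return sum(c is None or c for c in commands.values()) >= 2


def system_scram(sensors: Dict[str, Reading], setpoint: float,
                 lost_links=frozenset(), failed_cpus=frozenset()):
    """Run all four divisional votes, then the 2/4 hardware logic.

    lost_links: set of (receiver, sender) pairs whose data did not arrive.
    failed_cpus: divisions with failed processing electronics or power.
    Assumption: a sensor's data reaches the other divisions unless the
    link is listed in lost_links.
    """
    commands: Dict[str, Optional[bool]] = {}
    for div in DIVISIONS:
        if div in failed_cpus:
            commands[div] = None
            continue
        view = {
            src: Reading(Status.MISSING)
            if src != div and (div, src) in lost_links else sensors[src]
            for src in DIVISIONS
        }
        commands[div], _mode = divisional_vote(div, view, setpoint)
    return hardware_2of4(commands), commands


def good(value: float) -> Reading:
    return Reading(Status.GOOD, value)


# Constructed sample values (arbitrary units, trip setting 100).
SETPOINT = 100.0
NORMAL = {d: good(90.0) for d in DIVISIONS}
ONE_SPURIOUS_HIGH = {**NORMAL, "A": good(120.0)}
B_BAD_REAL_EVENT = {"A": good(120.0), "B": Reading(Status.BAD),
                    "C": good(120.0), "D": good(90.0)}

if __name__ == "__main__":
    for name, case in [("normal", NORMAL),
                       ("one spurious high", ONE_SPURIOUS_HIGH),
                       ("B bad, real event", B_BAD_REAL_EVENT)]:
        print(name, system_scram(case, SETPOINT))
```

The isolated-division case shows why the 1/1 fallback alone does not scram the plant: one division commanding scram still needs a second division, or a second failed division, to satisfy the 2/4 hardware logic.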

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Plasma & Fusion (AREA)
  • High Energy & Nuclear Physics (AREA)
  • Business, Economics & Management (AREA)
  • Emergency Management (AREA)
  • Monitoring And Testing Of Nuclear Reactors (AREA)
  • Safety Devices In Control Systems (AREA)
EP96923742A 1995-07-14 1996-07-11 Reactor protection system Expired - Lifetime EP0781451B1 (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US502411 1990-03-28
US08/502,337 US5586156A (en) 1995-07-14 1995-07-14 Reactor protection system with automatic self-testing and diagnostic
US08/502,411 US5621776A (en) 1995-07-14 1995-07-14 Fault-tolerant reactor protection system
US502337 1995-07-14
PCT/US1996/011521 WO1997004463A1 (en) 1995-07-14 1996-07-11 Reactor protection system

Publications (2)

Publication Number Publication Date
EP0781451A1 EP0781451A1 (en) 1997-07-02
EP0781451B1 true EP0781451B1 (en) 2001-12-19

Family

ID=27054121

Family Applications (1)

Application Number Title Priority Date Filing Date
EP96923742A Expired - Lifetime EP0781451B1 (en) 1995-07-14 1996-07-11 Reactor protection system

Country Status (5)

Country Link
EP (1) EP0781451B1 (ja)
JP (2) JPH10506476A (ja)
KR (1) KR970706581A (ja)
DE (1) DE69618160T2 (ja)
WO (1) WO1997004463A1 (ja)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015112304A3 (en) * 2013-12-31 2015-10-29 Nuscale Power, Llc Nuclear reactor protection systems and methods
AU2017248402B2 (en) * 2016-11-18 2018-10-04 Accenture Global Solutions Limited Sensor data generation and response handling stack
US10304575B2 (en) 2013-12-26 2019-05-28 Nuscale Power, Llc Actuating a nuclear reactor safety device
US11631503B2 (en) 2016-12-30 2023-04-18 Nuscale Power, Llc Control rod damping system
US11961625B2 (en) 2016-12-30 2024-04-16 Nuscale Power, Llc Nuclear reactor protection systems and methods

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5984504A (en) * 1997-06-11 1999-11-16 Westinghouse Electric Company Llc Safety or protection system employing reflective memory and/or diverse processors and communications
DE19962497A1 (de) * 1999-12-23 2001-07-05 Pilz Gmbh & Co Schaltungsanordnung zum sicheren Abschalten einer Anlage, insbesondere einer Maschinenanlage
JP2002084151A (ja) * 2000-06-28 2002-03-22 Denso Corp 物理量検出装置
FR2826726B1 (fr) * 2001-06-29 2004-01-16 Ttk Dispositif numerique de detection et de localisation de fuites de liquide
US6650722B1 (en) * 2001-12-21 2003-11-18 General Electric Company Hydraulic control unit transponder card
SE527441C2 (sv) * 2003-12-23 2006-03-07 Abb Research Ltd Förfarande vid ett säkerhetssystem för styrning av en process eller utrustning
DE102005060720A1 (de) * 2005-12-19 2007-06-28 Siemens Ag Überwachungssystem, insbesondere Schwingungsüberwachungssystem und Verfahren zum Betrieb eines solchen Systems
JP5701033B2 (ja) 2010-12-09 2015-04-15 三菱重工業株式会社 原子炉停止装置
CN102324258B (zh) * 2011-06-17 2014-06-04 中广核工程有限公司 一种防止核电站atwt机柜误驱动的方法和系统
JP5364842B1 (ja) * 2011-11-30 2013-12-11 三菱重工業株式会社 再生エネルギー型発電装置およびその制御方法
KR101395103B1 (ko) * 2012-09-03 2014-05-19 동국대학교 경주캠퍼스 산학협력단 원자력발전소 사용후연료 저장조의 보조 감시시스템 및 이를 이용한 감시 방법
CN105575448B (zh) * 2015-12-15 2017-10-31 中广核工程有限公司 核电站反应堆保护系统及其中的安全控制方法
JP6721423B2 (ja) * 2016-06-14 2020-07-15 株式会社日立製作所 アプリロジックおよびその検証方法
US10755825B2 (en) 2018-10-31 2020-08-25 Ge-Hitachi Nuclear Energy Americas Llc Passive electrical component for safety system shutdown using Faraday's law
CN112016185A (zh) * 2020-07-06 2020-12-01 中国核电工程有限公司 一种核电厂事故应对系统投运方式设计方法
CN112562878A (zh) * 2020-11-25 2021-03-26 三门核电有限公司 核电厂反应堆保护和监测系统响应时间测量装置及方法
CN113658733B (zh) * 2021-09-07 2024-04-09 山东核电有限公司 一种核电汽轮机的控制系统装置及其控制方法

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4661310A (en) * 1983-10-27 1987-04-28 Westinghouse Electric Corp Pulsed multichannel protection system with saturable core magnetic logic units
US4804515A (en) * 1984-10-31 1989-02-14 Westinghouse Electric Corp. Distributed microprocessor based sensor signal processing system for a complex process
US4752869A (en) * 1985-05-09 1988-06-21 Westinghouse Electric Corp. Auxiliary reactor protection system
EP0221775B1 (en) * 1985-10-31 1991-10-09 Westinghouse Electric Corporation Testable voted logic power circuit and method of testing the same
JPH0731537B2 (ja) * 1987-09-11 1995-04-10 株式会社日立製作所 多重化制御装置

Also Published As

Publication number Publication date
DE69618160T2 (de) 2002-09-05
EP0781451A1 (en) 1997-07-02
JP2007183285A (ja) 2007-07-19
JPH10506476A (ja) 1998-06-23
DE69618160D1 (de) 2002-01-31
KR970706581A (ko) 1997-11-03
WO1997004463A1 (en) 1997-02-06

Similar Documents

Publication Publication Date Title
US5621776A (en) Fault-tolerant reactor protection system
US5586156A (en) Reactor protection system with automatic self-testing and diagnostic
EP0781451B1 (en) Reactor protection system
KR102642462B1 (ko) 핵 반응기 보호 시스템 및 방법
JP7203154B2 (ja) 原子炉保護システムとこれを動作させる方法
EP0180085B1 (en) Distributed microprocessor based sensor signal processing system for a complex process
GB2093245A (en) Nuclear reactor power supply system
KR100875467B1 (ko) 독립적 이중화 구조 리던던시를 갖는 디지털 원자로보호계통 및 그 방법
Husseiny et al. Operating procedure automation to enhance safety of nuclear power plants
Park et al. Design of instrumentation and control system for research reactors
Dusek Two significant events in the NPP Dukovany in 1995
Shin et al. DIVERSITY AND DEFENSE-IN-DEPTH ANALYSIS FOR I&C SYSTEMS OF RESEARCH REACTORS: A CASE STUDY ON TWO RESEARCH REACTORS
Ohga et al. An event-oriented method for determining operation guides under emergency conditions in boiling water reactors
Chung et al. Design of advanced power reactor (APR1400) I&C system
Hellmerichs Extensions and renovations of reactor protection systems
Govindarajan et al. Computer based C and I systems in Indian PHWRs
GOVINDARAJAN MP SHARMA
Shirasawa et al. Digital I&C System in the US-APWR
Director Mr. Richard Conti NRC Region 1, Chief Examiner Mr. Larry Briggs NRC Region 1, Lead Examiner Gentlemen
Storrick Emergency Response Guideline Development
Kinsey Jice President, ESBWR Licensing
Deutschmann Detection of a regulating valve closure failure during review of recorded data after an automatic reactor shut down. Incident at the NPP Beznau-1, 27 April 1995
Cook et al. LI Reclassification
McNeil et al. Reliable, fault tolerant control systems for nuclear generating stations

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): DE FR

17P Request for examination filed

Effective date: 19970806

17Q First examination report despatched

Effective date: 19980520

GRAG Despatch of communication of intention to grant

Free format text: ORIGINAL CODE: EPIDOS AGRA

GRAG Despatch of communication of intention to grant

Free format text: ORIGINAL CODE: EPIDOS AGRA

GRAH Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOS IGRA

GRAH Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOS IGRA

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): DE FR

REF Corresponds to:

Ref document number: 69618160

Country of ref document: DE

Date of ref document: 20020131

ET Fr: translation filed
PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20020619

Year of fee payment: 7

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20020730

Year of fee payment: 7

PLBQ Unpublished change to opponent data

Free format text: ORIGINAL CODE: EPIDOS OPPO

PLBI Opposition filed

Free format text: ORIGINAL CODE: 0009260

PLBF Reply of patent proprietor to notice(s) of opposition

Free format text: ORIGINAL CODE: EPIDOS OBSO

26 Opposition filed

Opponent name: FRAMATOME ANP GMBH

Effective date: 20020916

PLBF Reply of patent proprietor to notice(s) of opposition

Free format text: ORIGINAL CODE: EPIDOS OBSO

PLBF Reply of patent proprietor to notice(s) of opposition

Free format text: ORIGINAL CODE: EPIDOS OBSO

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20040203

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20040331

REG Reference to a national code

Ref country code: FR

Ref legal event code: ST

PLBD Termination of opposition procedure: decision despatched

Free format text: ORIGINAL CODE: EPIDOSNOPC1

PLBM Termination of opposition procedure: date of legal effect published

Free format text: ORIGINAL CODE: 0009276

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: OPPOSITION PROCEDURE CLOSED

27C Opposition proceedings terminated

Effective date: 20060304